Privacy Policy

Introduction

This Privacy Policy (hereinafter referred to as the "Privacy Policy") applies to the users of the CARLOW platform, which refers to the website accessible at the address https://www.carlow.fr/ and operated by the company SOLELH ENERGIE (hereinafter referred to as the "Operator" or "CARLOW").

The purpose of this Privacy Policy is to inform the users of the Platform on how their personal data is collected and processed.

The protection of privacy and personal data is a priority for CARLOW. The collection and processing of data are carried out in compliance with data protection regulations, particularly the General Data Protection Regulation (GDPR) No. 2016/679 (hereinafter referred to as the "GDPR").

MORE INFORMATION :

What is Personal Data?

"Personal Data" refers to any information concerning a natural person that allows them to be identified directly or indirectly.

Example 1: Your first and last name and/or a photo allow you to be identified directly.

Example 2: Your email address allows you to be identified indirectly.

What is Processing?

The term "Processing" refers to any operation or set of operations carried out on Personal Data, regardless of the method used (collection, recording, organization, storage, adaptation, modification, extraction, consultation, use, communication by transmission, dissemination, or any other form of provision, alignment or interconnection, locking, erasure, or destruction).

Article 1.

Definitions

The terms used below have the following meaning in this Privacy Policy :

· "Client": Refers to any person who guarantees having professional status as defined by French law and jurisprudence, who accesses the Platform by registering and can place an order for a Product from the Seller of their choice. As such, it is expressly provided that the Client is a natural or legal person, whether public or private, acting for purposes that fall within the scope of their commercial, industrial, artisanal, liberal, or agricultural activity.

· "Order": Refers to any purchase of Products made by a Client on the Platform.

· "Account": Refers to the interface hosted on the Platform where all the data provided by the Client is gathered, allowing them to manage their Orders. Access to the Account is granted through Identifiers.

· "Data" or "Personal Data": Refers to personal data that is subject to Processing under this Privacy Policy, as defined in Article 4(1) of the GDPR.

· "Payment Service Provider" or "PSP": Refers to the company holding a banking license that provides CARLOW with payment services, enabling it to process Client payments. CARLOW’s Payment Service Provider is Stripe Payments Europe Ltd, a company under Irish law with its registered office located at The One Building, 1 Lower Grand Canal Street, Dublin 2, Ireland, authorized to operate within the European Economic Area as an electronic money institution authorized by the Central Bank of Ireland under number C187865.

· "Products": Refers to the following ranges of products that can be sold on the Platform by a Seller:

o Photovoltaic: modules, inverters, rails, monitoring, wiring, fasteners

o Biomass: stoves, inserts, boilers, ovens, tubing

o Heat pumps: outdoor or indoor unit, split, tank, ductable pipe

o Solar: generator, tank, battery, lighting, aerovoltaic

o Building Management System (BMS): equipment components of a building energy management system aimed at improving energy performance.

· "General Data Protection Regulation" or "GDPR": Refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons concerning the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC.

· "Data Controller": Refers to the person who determines the purposes and means of Processing in accordance with Article 4(7) of the GDPR.

· "Services": Refers to all the services provided by the Operator to Users through the Platforms.

· "Processor": Refers to the natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Data Controller in accordance with Article 4(8) of the GDPR.

· "Processing/Process": Refers to any of the operations referred to in Article 4(2) of the GDPR performed on Personal Data as part of the execution of this Privacy Policy.

· "User": Refers to any person who accesses and navigates the Platform, whether as a simple visitor, Seller, or Client (also referred to as "You," "Your," "Yours").

· "Seller": Refers to any person who guarantees having professional status as defined by French law and jurisprudence, who accesses the Platform to sell their Products to Clients. As such, it is expressly provided that the Seller is a natural or legal person, whether public or private, acting for purposes within the scope of their commercial, industrial, artisanal, liberal, or agricultural activity.

Article 2. Who is the Data Controller?

As part of providing various Services, CARLOW acts as the Data Controller in relation to you, as defined in Article 4(7) of the GDPR.

Contact details for CARLOW: Simplified joint-stock company with a share capital of €1,000, registered with the Trade and Companies Register of Aubenas under number 987 424 983, whose registered office is located at 425 Chemin des Souliers, 07200 Vesseaux - email: contact@carlow.fr.

MORE INFORMATION :

The Data Controller is, under the French Data Protection Act and the GDPR, the person who determines the purposes and means of Processing. When two or more Data Controllers jointly determine the purposes and means of Processing, they are considered joint controllers (or co-controllers).

A Processor is a person processing personal data on behalf of the Data Controller. They act under the authority and instruction of the Data Controller.

Article 3. How do we collect your data?

As a general rule, all personal data concerning you is collected directly from you.

For example, during the provision of Services or in exchanges with CARLOW (contact requests, emails, etc.).

Additionally, data related to your browsing on the Platform may be used to tailor our commercial and advertising offers to your needs and interests.

Article 4. What are the purposes and legal bases of the processing we undertake?

When the legal basis for the processing operations we carry out is based on the pursuit of a legitimate interest, as a concerned individual, you may request additional information on the balancing of interests.

We collect only the data necessary for the purposes explicitly and specifically outlined below :

TRAITEMENTS	FINALITES	BASES LEGALES
Platform functionalities and maintenance	- General administration of the Platform; - Performance of maintenance operations; General management of Platform security; - Use of cookies and other trackers necessary for Platform operations; - Conducting usage statistics ;	Our legitimate interest in ensuring that users have the best possible experience on the Platform.
Personalization of Platform usage	- Use of cookies and other trackers to personalize your experience and target your needs; - Personalization of the User profile.	Your consent, which can be withdrawn at any time.
Provision of Services	- Managing requests for account creation, modification, and deletion; - Providing and delivering Services to Users; - Monitoring and controlling the proper use of Services; Sending non-commercial information related to the provision of Services; - Conducting usage statistics.	Contractual – Processing is necessary for the execution of a contract or pre-contractual measures.
Order management and tracking	- Tracking and managing Orders; - Transmission of Client Data to the Seller; - Managing payments (transmission of Data to the PSP).	Contractual – Processing is necessary for the execution of a contract or pre-contractual measures.
Handling contact requests, information requests, and complaints	- Handling information requests; - Following up on requests.	Contractual – Processing is necessary for the execution of a contract or pre-contractual measures. Our legitimate interest in responding to your inquiries.
Marketing activities	- Conducting marketing campaigns (email, phone, mail); - Creating statistics on marketing operations.	Our legitimate interest in offering you deals as part of our business development. These messages are sent to you as a Platform User. You have the option to unsubscribe at any time via the provided unsubscribe links. Consent is required when applicable.
Sending the Newsletter	- Managing newsletter subscriptions; - Creating statistics on the use of Services.	Your consent, which can be withdrawn at any time.
Managing rights requests	- Tracking the handling of requests; - Performing operations on your data as part of rights requests.	Our legal obligations arising from Articles 15 et seq. of the GDPR and the French Data Protection Act (Informatique et Libertés).

Article 5. What types of data are collected?

The mandatory or optional nature of the Personal Data collected and any possible consequences of failure to provide it are indicated during the various contacts with Users.

You can consult the details of the Data we may hold about you below:

PROCESSING	DATA COLLECTED
Platform functionalities and maintenance	- Information associated with the Account (title, first name, last name, personal details, orders/sales...); - Connection logs, device identification data, Service usage data, and activity history on the Platform; - Data collected through technical cookies and other trackers; - Statistics.
Personalization of Platform usage	- Information associated with the Account (title, first name, last name, personal details, orders/sales...); - Connection logs, device identification data, Service usage data, and activity history on the Platform; - Data collected through technical cookies and other trackers; - Statistics.
Provision of Services	- Information associated with the Account (first name, last name, title, personal details...); - Contractual information related to the subscription to Services; - Connection logs; - Data related to Service usage; Statistics.
Order management and tracking	- Information associated with the Account; - Contractual information related to Service subscription; - Information related to requests and disputes between users/complaints.
Handling contact requests, information requests, and complaints	- Information associated with the requester (title, first name, last name, contact details); - Information related to the request; - Statistics.
Marketing activities	- Civil status data of customers/prospects (title, first name, last name); - Personal or professional contact details (position, email, contact information...); - Expressed interests in Services/Service usage; - Information related to event organization; - Data related to interactions with our services on blogs, forums, and social media; - Statistics.
Sending the Newsletter	- Civil status and email data; - Statistics.
Managing rights requests	- Data related to your identity: title, first name, last name, address, phone number, email address, date of birth. - An identity document may be kept as proof of exercising a right to access, rectify, or object, or to comply with a legal obligation; - Data related to your rights request; - Statistics.

The details of the information provided above are not exhaustive and primarily aim to inform you of the categories of Data that CARLOW may process.

In any case, CARLOW undertakes to process all collected Data in compliance with the GDPR.

When the collection of this information is regulatory, contractual, or a condition for entering into a contract, or if there is an obligation to provide the information, we will indicate it with a note such as "*".

Failure to provide this information may result in CARLOW terminating or not offering its Services to you.

Article 6. Who can access your personal data?

Within the limits of their respective responsibilities and for the purposes mentioned above, the main individuals who may have access to your Data are as follows :

Authorized personnel of CARLOW;

If applicable, authorized personnel of CARLOW’s subcontractors: platform hosting provider, logistics partner...;

Companies responsible for managing the hosting of the Platform and CARLOW’s IT system;

Sellers if you are a Client;

Clients if you are a Seller;

If applicable, third parties involved in billing operations: Banks, Payment Service Providers...;

If applicable, relevant courts, mediators, accountants, auditors, lawyers, bailiffs, debt collection companies, police or gendarmerie authorities in case of theft or judicial requisition;

If applicable, third parties that may place "commercial" cookies on your devices (computers, tablets, smartphones...) when you consent.

MORE INFORMATION ON OUR SERVICE PROVIDERS:

- Stripe Payments Europe Ltd, a company under Irish law with its registered office located at The One Building, 1 Lower Grand Canal Street, Dublin 2, Ireland.

- Comptoir du code SAS, with a share capital of €27,860, registered with the Trade and Companies Register of Lille under number 809017429, whose registered office is located at 165 avenue de Bretagne, 59000 Lille.

Your Data is not communicated, exchanged, sold, or rented to any other persons than those mentioned above without your prior express consent, in accordance with applicable legal and regulatory provisions.

Article 7. How long do we retain your data?

We only retain your Data for the time necessary to achieve the purposes pursued, as summarized in the table below:

PROCESSING	RETENTION PERIODS
Platform functionalities and maintenance	- For the duration of the contractual relationship, then archived for five (5) years for evidence purposes. - Connection logs and activity history are retained for no more than six (6) months.
Personalization of Platform usage	- For the duration of the contractual relationship, then archived for five (5) years for evidence purposes.
Provision of Services	- For the duration of the contractual relationship, then archived for five (5) years for evidence purposes. - Connection logs and activity history are retained for no more than six (6) months.
Order management and tracking	- For the duration of the contractual relationship, then archived for five (5) years for evidence purposes. - Accounting documents are retained for ten (10) years.
Handling contact requests, information requests, and complaints	- For the time necessary to fully process your request, then for a period of two (2) years from the last update related to your request. - If your request relates to the execution of your contract, the maximum retention period will be five (5) years after the end of our contractual relationship (for evidence purposes). - If your request concerns a complaint, the data will be retained for the duration of the complaint process and, if applicable, until all ordinary and extraordinary remedies have been exhausted.
Marketing activities	- For a period not exceeding three (3) years from the last positive contact from you and/or from the end of our business relationship.
Sending the Newsletter	- Data is retained until consent is withdrawn (unsubscription via the link provided for this purpose), or if applicable, for the duration of the contractual relationship, then archived for three (3) years after the end of the contractual relationship or three (3) years after the last contact with CARLOW.
Managing rights requests	- Personal Data related to the management of rights requests is retained for the time necessary to process the request, then archived for six (6) years for evidence purposes (Art. 8 of the French Code of Criminal Procedure).

Article 8. Details concerning payment services

8.1. What are the purposes of Processing?

Clients wishing to place an Order on the Platform must use the payment services provided by the Payment Service Provider (PSP). The amounts due for the Order are collected by CARLOW through the PSP.

The PSP is legally required to perform anti-money laundering, counter-terrorism financing, and fraud prevention checks.

Consequently, the PSP and CARLOW process Client Data during the financial transaction related to the Order for the following purposes:

- Processing payment data for transaction completion:

Details & Legal Basis:

Purpose: Execution of transactions.

Legal Basis: Contractual – Processing is necessary to perform pre-contractual measures at your request for the provision of payment services.

- Processing Data for the implementation of control procedures:

Details & Legal Basis:

Purpose: Processing necessary for the implementation of control procedures.

Legal Basis: Legal Obligation – Processing of Data necessary for the prevention of fraud, terrorism financing, and money laundering under a legal obligation that applies to the PSP as a payment service provider.

8.2. What is the status of the involved parties?

8.2.1. Processing payment data for transaction completion:

The PSP is considered the Data Controller for the Data Processing related to the management of Product payment Orders.

8.2.2. Processing Data for the implementation of control procedures:

The PSP is legally required to process the Data necessary for the implementation of control procedures. As such, the PSP is considered the Data Controller for the Processing of Data in the context of implementing control procedures.

MORE DETAILS & LEGAL BASIS:

The payment service provider for the Platform is Stripe Payments Europe Ltd, a company under Irish law with its registered office located at The One Building, 1 Lower Grand Canal Street, Dublin 2, Ireland, authorized by the ACPR.

For any questions regarding the management and use of your Personal Data, you can contact the PSP by :

· Email: dpo@stripe.com

· Mail: The One Building, 1 Lower Grand Canal Street, Dublin 2, Ireland.

8.3. Retention period for payment data

Except as provided in the following paragraphs, bank details will no longer be retained once the transaction has been completed by the PSP, meaning once full payment for the selected Product has been received by the Seller, and the fourteen (14) day withdrawal period has expired.

The bank details of Sellers (RIB/IBAN, account number) are retained to allow the transfer of amounts owed under Sales Contracts for the duration of the contractual relationship to execute Payment Services (or until the data is deleted or modified by the Seller).

It should be noted that for payments made by bank cards, such data may be retained as evidence if the transaction is disputed, stored in temporary files for thirteen (13) months (or fifteen (15) months if payment is deferred) from the date the debit is made.

In any case, the security code (CVV) is not subject to retention, and the bank details are deleted upon the expiration of the aforementioned period.

For longer retention of your payment data to avoid entering it for each transaction, your express consent will be required to retain the Data until (i) the expiration of the card’s validity or (ii) the termination of the contract binding you to CARLOW.

You can withdraw your consent and delete or modify this Data at any time.

Article 9. Details concerning social networks

When browsing the Platform, Users may click on social media icons (Facebook, LinkedIn) available on the Platform.

Social networks enhance the user experience on the Platform and promote its visibility through shares.

When Users use these buttons, CARLOW may access personal information that Users have marked as public and accessible from their Facebook and LinkedIn profiles.

However, CARLOW does not create or use any database from Facebook or LinkedIn and does not exploit any private data of Users through this method.

MORE DETAILS :

To limit third-party access to the personal information present on Facebook and LinkedIn, we invite you to adjust your profile settings and/or the nature of your posts through the dedicated sections on the social networks Facebook, LinkedIn, etc., to limit the audience.

Article 10. What are your rights?

In accordance with the GDPR, you have several rights regarding your Personal Data:

Right of access: You have the right to access all your Personal Data at any time, in accordance with Article 15 of the GDPR.
Right to rectification: You have the right to correct your inaccurate, incomplete, or outdated Personal Data at any time, in accordance with Article 16 of the GDPR.
Right to erasure: You have the right to request that your Personal Data be erased and to prevent its future collection for reasons set forth in Article 17 of the GDPR, particularly when the data is inaccurate, incomplete, ambiguous, outdated, or when its collection, use, communication, or storage is prohibited.
Right to restriction of processing: You have the right to request that we temporarily freeze the use of some of your data under the conditions specified (Article 18 of the GDPR).
Right to object: Under Article 21 of the GDPR, you have the right to object to the Processing of your personal data. However, please note that we may continue to process it despite your objection for legitimate reasons or for legal claims.
Right to data portability: Under certain conditions specified in Article 20 of the GDPR, you have the right to receive the Personal Data you provided to us in a standard machine-readable format and to request its transfer to the recipient of your choice.

You also have the following rights:

Right to withdraw your consent at any time: For Processing based on consent, Article 7 of the GDPR stipulates that you may withdraw your consent at any time. This withdrawal will not affect the lawfulness of the Processing carried out before the withdrawal (Article 13-2c of the GDPR).
Right to determine the fate of your Personal Data after your death: You may choose whether we communicate (or not) your Personal Data to a third party you have designated beforehand (Article 85 of the French Data Protection Act).

These rights can be exercised by :

o Email: contact@carlow.fr

o Mail: 425 Chemin des Souliers, 07200 Vesseaux

o Through the online form.

You also have the right to lodge a complaint with a supervisory authority, particularly the CNIL (https://www.cnil.fr/fr/plaintes).

As of now, CARLOW does not carry out any automated decision-making that may have legal effects on you or affect you significantly.

Article 11. What about connection data and cookies?

CARLOW uses connection data (date, time, IP address of the visitor’s computer, page visited) and cookies (small files saved on your computer) on the Platform to identify you, track your visits, and benefit from audience measurement and statistics, particularly related to the pages visited.

Depending on the purposes, Users may consent to, refuse, or select which types of cookies to allow on their devices. This information is retained for a maximum of thirteen (13) months. After this period, raw traffic data associated with an identifier is either deleted or anonymized. Information collected through trackers is retained for twenty-five (25) months. After this period, such data is deleted or anonymized.

When browsing the Platform, you may have the opportunity to click on social media icons, particularly LinkedIn.

Social media networks help enhance the usability of our Services and promote them through shares.
When users click on social media sharing buttons, CARLOW may access the personal information users have marked as public and accessible from their social media profiles. However, CARLOW does not exploit any data related to your private life through this method.

Article 12. Are your data transferred outside the European Union?

As a general rule, CARLOW processes your Data within the European Union.

Given the evolution of our activities, we may be required to transfer your Data outside the European Economic Area. In such a case, we will inform you of these developments.

Article 13. What security measures are in place to protect your data?

We implement all necessary technical and organizational measures to ensure the security of our personal data processing and the confidentiality of the data we collect.

As such, we take all necessary precautions considering the nature of the data and the risks posed by the processing to safeguard its security and, in particular, to prevent it from being distorted, damaged, or accessed by unauthorized third parties.

Article 14. Updates to our Privacy Policy

This Privacy Policy may be modified, particularly in light of legislative and regulatory developments.

The updated version can be consulted directly on our Platform.

Version dated 10.09.2024

Cookie name	Provider	Purpose	Expiry
cookiesplus	www.carlow.fr	Conserver vos préférences en matière de cookies.	1 année
PrestaShop-#	www.carlow.fr	Ce cookie permet de garder les sessions de l'utilisateur ouvertes pendant leur visite, et lui permettre de passer commande ou tout un ensemble de fonctionnement tels que : date d'ajout du cookie, langue sélectionnée, devise utilisée, dernière catégorie de produit visité, produits récemment vus, accord d'utilisation de services du site, Identifiant client, identifiant de connexion, nom, prénom, état connecté, votre mot de passe chiffré, e-mail lié au compte client, l'identifiant du panier.	480 heures

Cookie name	Provider	Purpose	Expiry
collect	Google	Il est utilisé pour envoyer des données à Google Analytics sur l'appareil du visiteur et son comportement. Suivez le visiteur à travers les appareils et les canaux marketing.	Session
r/collect	Google	Il est utilisé pour envoyer des données à Google Analytics sur l'appareil du visiteur et son comportement. Suivez le visiteur à travers les appareils et les canaux marketing.	Session
_ga	Google	Enregistre un identifiant unique utilisé pour générer des données statistiques sur la façon dont le visiteur utilise le site.	2 années
_gat	Google	Utilisé par Google Analytics pour diminuer radicalement le taux de requêtes	1 jour
_ga_#	Google	Utilisé par Google Analytics our recueillir des données sur le nombre de fois qu'un utilisateur a visité le site web ainsi que les dates de la première et de la plus récente visite.	2 années
_gd#	Google	Il s'agit d'un cookie de session Google Analytics utilisé pour générer des données statistiques sur la façon dont vous utilisez le site Web, qui est supprimé lorsque vous quittez votre navigateur.	Session
_gid	Google	Enregistre un identifiant unique utilisé pour générer des données statistiques sur la façon dont le visiteur utilise le site.	1 jour